Solved

TrueCrypt - Finding balance between usability and security

Posted on 2011-09-13
Last Modified: 2012-05-12
I have a file server in a location which is a little out of the way. I understand that encrypting the system drive with TrueCrypt means that authentication happens pre-boot. This would mean that physical access to the server is required after each restart (currently all [software] admin work is done through remote desktop).

My questions are:

a) Does encrypting the sys drive increase data security if confidential information is already encrypted on an external drive, and the OS is basically a clean install shell?

b) If sys drive encryption is to be used, is it possible to have automatic encryption authentication? Does this sound a little pointless?!? The user account would still have a password though...

Feedback welcome!

Thanks guys
Question by:mpaert

Assisted Solution

by:Garry Glendown
Garry Glendown earned 1000 total points
ID: 36534443
As for encrypting the system drive, keep in mind that Windows does all kinds of things all over the place, storing temporary files, swap files, etc. on the system drive, so you have no say-so over where confidential information might end up when being loaded off of the external drive. From that point of view, yes, encrypting the system drive will increase the security of the data.

Not sure what you mean with the encryption authentication though ...

Expert Comment

by:RobMobility
ID: 36550086
Hi,

Do you have a KVM over IP solution on the server such as ILO or DRAC - would having access to this not enable you to authenticate via that console?

Regards.


RobMobility.

Accepted Solution

by:McKnife
McKnife earned 1000 total points
ID: 36554064
First of all: are you open to alternatives?
If your server (what OS?) would be Windows Server 2008, you could use BitLocker. And IF, yes, if the mainboard supports it, let BitLocker use the TPM chip of the board. This would be a whole-disk encryption without a password and the need for someone to be present at reboots.
"Would that be secure", you might ask. It depends. If someone manages to cold boot attack your server (see http://www.youtube.com/watch?v=JDaicPIgn9U for a demonstration), your data will be lost. A second way to get to your data would be the infamous FireWire hack http://www.youtube.com/watch?v=5N-C5s_07Ts - applicable only if a FireWire port is present.
So you see, there are ways in and those are realistic. To have an entire system encrypted AND 100% secure AND handsfree (no password) is NOT possible - period.
------------

What IS possible handsfree is using TrueCrypt together with a keyfile. Let me explain:
Your file server (Windows, I suppose) will have 2 partitions, OS and data. If you don't care about the OSD partition (you should not need to care about the pagefile, because the restricted documents do not get worked on at the server itself), just use TrueCrypt to encrypt the data partition using no password but a keyfile (TC offers to do so). Now place that keyfile on a share of a remote server that no one has physical access to but you. Share permissions and NTFS permissions of that keyfile will have to be restricted, too (in our domain, we use the system account: fileserver$).
Next, create a scheduled task on your file server that uses truecrypt.exe scripted (batch script). TC can mount your whole partition using that keyfile totally unattended that way. Afterwards restart the server service with that script, too, to recreate the shares [shares are created at system startup normally - as we have to mount first, we need to use sc.exe to restart the server service afterwards]. Done. This is how our company solved that problem.

Now what would happen if a thief comes and steals the server? The data partition is encrypted, the thief would need the keyfile. Without, he is lost. So his only possibility to get to the data would again be the cold boot attack and firewire BUT this time he would have to perform this attack while the data partition is mounted which means RIGHT AT YOUR COMPANY and not in his cosy hideout with lots of time and planning. Once he turns off the machine, the keyfile is gone.

Two last things:
1. You will need to be aware that this keyfile is really important and keep a backup of it secured somewhere. Best would be to keep it on two servers' shares and use the second one if the first one is not available. Remember: both of these servers need to be physically secured.
2. Adjust your file server backup to your new needs.

Expert Comment

by:McKnife
ID: 36554075
One more thing about the scheduled task that does the mounting: it must be run at system startup (and as I proposed, using the account: system, which does not need a password to be entered = leave it blank if asked for one).
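
A sketch of the startup script described in the accepted solution and the comment above, as an added example that is not part of the original posts and not the poster's own script. The install path, device path, drive letter, share names, keyfile name and log path are assumed placeholders; it also assumes no other running service depends on the Server service.

```bat
@echo off
rem mount-data.cmd - added example; every path and name below is an assumed placeholder.
rem Register once, to run at boot as SYSTEM (no password needed for that account):
rem   schtasks /create /tn "Mount data volume" /tr "C:\Scripts\mount-data.cmd" /sc onstart /ru SYSTEM
setlocal
set "TC=C:\Program Files\TrueCrypt\TrueCrypt.exe"
set "VOLUME=\Device\Harddisk0\Partition2"
set "LETTER=D"
set "KEY1=\\keysrv1\tckeys$\data.key"
set "KEY2=\\keysrv2\tckeys$\data.key"
set "LOG=C:\Scripts\mount-data.log"

rem Already mounted (for example the task was re-run by hand): nothing to do.
if exist %LETTER%:\ goto :eof

rem Take the first reachable keyfile, falling back to the second server.
rem The network may not be up yet at boot, so retry for about five minutes.
set "KEYFILE="
for /l %%i in (1,1,30) do (
    if not defined KEYFILE if exist "%KEY1%" set "KEYFILE=%KEY1%"
    if not defined KEYFILE if exist "%KEY2%" set "KEYFILE=%KEY2%"
    if not defined KEYFILE ping -n 11 127.0.0.1 >nul
)
if not defined KEYFILE (
    echo %date% %time% no keyfile reachable, volume left unmounted >>"%LOG%"
    exit /b 1
)

rem /k = keyfile, /p "" = empty password, /q /s = quit after mounting, no dialogs.
start "" /wait "%TC%" /v %VOLUME% /l %LETTER% /k "%KEYFILE%" /p "" /q /s
if not exist %LETTER%:\ (
    echo %date% %time% mount of %VOLUME% failed >>"%LOG%"
    exit /b 2
)

rem Shares are created when the Server service starts, so restart it now that
rem the data volume exists. sc stop fails if dependent services are running.
sc stop LanmanServer >nul
ping -n 6 127.0.0.1 >nul
sc start LanmanServer >nul
echo %date% %time% %VOLUME% mounted as %LETTER%: and shares recreated >>"%LOG%"
```

Because the task runs as SYSTEM, write access to the script and its folder should be limited to administrators. The keyfile is read over the network with the computer account, which is why the share and NTFS permissions on it are restricted to that account.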

Expert Comment

by:McKnife
ID: 36582250
> Feedback welcome!
Same on my side :)

Expert Comment

by:Tolomir
ID: 37158293
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.